Firewall Wizards mailing list archives
Re: Content Switch as security device?
From: Duncan Sharp <drsharp () pacbell net>
Date: Wed, 29 Jan 2003 15:54:55 -0800
"Ludolph, Michel" wrote:
> This afternoon I had a discussion with a colleague. He told me about a proposed Corporate Internet connection. Instead of using a Firewall between the DMZ and the external network, the idea was to use a Cisco Content Switch. This would result in the following architecture: Internet --> screening router --> Content Switch --> router --> web servers.
I would move the "Content Switch" between router and "web servers". Now the Content switch and web servers can be isolated to a DMZ. The CSS (Content Server Switch) is not a firewall, but it has firewall features: If you use IP destination address load balancing, then all ports are addressable. If you use destination port, or url content load balancing, then only the ports defined are opened. The CSS does a complete gateway connection spoof for layer 4+ connections. Your web servers can have RFC 1918 addresses. It can also be an OSPF router, but I still don't see any security passwords for this.
> This would mean that the Content Switch also acts as a sort of proxy-firewall, justified by the fact that only defined ports are permitted. I do not feel very comfortable with this solution. What about syn-floods and fragmentation attacks? Further, a Content Switch is not designed to act as a security device (it may listen to ports you are not aware of).
It does do SYN flood defending. It also does anti-spoofing, by default. It does have several default ports open:
  22 - sshd (if you purchase this option)
  23 - telnetd
  80 - httpd
  21 - ftpd (push an updated OS, download crash file)
  8081 - XML (I think this is the one)
There is an RS232 console port. And there is a Management Network (10bt). Supports local user accounts (pre 5.0), radius auth (5.0+), TACACS+ (5.03).
> Has anyone come across such a solution, or have any thoughts on this?
It looks better with ver. 5.0 OS. I used 3.X to 4.01. Take a close look at the release notes, they are publicly avail. I see in ver. 5.03 you can still crash a CSS in configuration mode (CSCdv55143). Stability of the OS has been a difficult goal.
> Thanks,
Yours, Duncan Sharp
> Michel Ludolph michel.ludolph () atosorigin com
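As an added example (not code from this thread, from Cisco, or from either poster), a small Python audit of the two points Duncan raises: a content rule that balances on destination IP only, with no port clause, leaves every port on its VIP addressable, and the CSS's own default management services stay reachable unless the screening router filters them. The rule syntax parsed here (content / vip address / protocol / port / active) is an assumed, simplified rendering for illustration, and the sample config and ACL are constructed.

```python
"""Audit a simplified CSS-style content-rule config for exposed ports.

Added example, not Cisco's or the list posters' code. The rule syntax
(content / vip address / protocol / port / active) is an assumed,
simplified rendering for illustration only.
"""
import re

# Services Duncan lists as open by default on the CSS itself.
CSS_DEFAULT_MGMT_PORTS = {21: "ftpd", 22: "sshd", 23: "telnetd",
                          80: "httpd", 8081: "xml"}

# Constructed sample config: first rule balances on destination port,
# second rule balances on destination IP only (no port clause).
SAMPLE_CONFIG = """
content web-http
  vip address 203.0.113.10
  protocol tcp
  port 80
  active
content legacy-ip
  vip address 203.0.113.11
  active
"""

def parse_content_rules(text):
    """Return {rule: {'vip': str|None, 'port': int|None}} from config text."""
    rules, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"content\s+(\S+)$", line):
            cur = m.group(1)
            rules[cur] = {"vip": None, "port": None}
        elif cur and (m := re.match(r"vip address\s+(\S+)$", line)):
            rules[cur]["vip"] = m.group(1)
        elif cur and (m := re.match(r"port\s+(\d+)$", line)):
            rules[cur]["port"] = int(m.group(1))
    return rules

def exposed_ports(rules):
    """Per VIP: the single permitted port, or None meaning every port."""
    return {r["vip"]: r["port"] for r in rules.values()}

def mgmt_exposure(permitted_to_css):
    """Default CSS management services still reachable, given the set of
    destination ports the screening router permits toward the CSS."""
    return {p: s for p, s in CSS_DEFAULT_MGMT_PORTS.items()
            if p in permitted_to_css}

if __name__ == "__main__":
    for vip, port in exposed_ports(parse_content_rules(SAMPLE_CONFIG)).items():
        print(vip, "all ports reachable" if port is None else f"port {port} only")
    # Constructed ACL: the router permits ports 80 and 23 through to the CSS.
    print("management reachable:", mgmt_exposure({80, 23}))
```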
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards